trojanspy.tml.smitfraud.com [resolved]

doug_lord

Posted 18 April 2005 - 02:43 PM

Member

16 posts

I picked up the smitfraud trojan two days ago, seemed to correlate with my Norton virusscan software advising me that my subscription had elapsed. I have the blue screen wallpaper and have run a few downloaded programmes to try to remove to no avail. The laptop has always been slow but now it is next to stationary. I'd really appreciate help in removing the virus, removing the blue screen and optimising the system.

g2i2r4

Posted 04 May 2005 - 10:48 AM

retired HiJack Helper

Retired Staff

5,080 posts

Download 'SpSeHjfix' to the desktop. Right-click a blank part of the desktop and select new folder, call it ‘spfix’. Unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS. Run 'SpSeHjfix' and click on "Start Disinfection". When it's finished it will reboot your computer to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say system clean and not go on to next stage.

Now run the CWShredder - Hit The FIX button!

Reboot and post a fresh log using HijackThis and the log that was created by 'SpSeHjfix'.

g2i2r4

Posted 05 May 2005 - 07:00 AM

For the duration of this fix, please disable AOL's spyware protection program. It may think that what we are doing now is an attack and stop the changes.

***

You have Spybot S&D's protection running which is good, but we need you to disable it for the remainder of the fix as it will interfere with the registry changes being made. Open Spybot S&D in advanced mode, click Tools > Resident, and remove the check from "Resident Tea-Timer" and 'SD helper'. Reboot after unchecking the entry.

***

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later. Be sure to follow ALL instructions!

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

***

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

* Download and install Registrar Lite.
* Double click the purple Registrar Lite icon on your desktop.
* Copy the line in the box below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

* Click the "Go" button.
* It will take you into the "Policies" folder.
* Locate the "System" folder (in the right panel).
* If found, right-click on the System folder and go to Delete.
* Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

***

Download Hoster. Unzip it to a convenient place and open the program. Choose "Restore Original Hosts" and press "OK". Close the program.

***

Download: deldomains. To use: right-click and select: Install (no need to restart). Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

There may also be a number of icons in the system folder that don't belong. Here are some examples:

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Right click here and click Save Target As. Save the file to your desktop. Double click on the file you saved to run it. It will ask you if you want to merge it with your registry. Click Yes and then Ok on the confirmation. You will have to reboot for this to take effect.

***

Download this scanner: ewido. Install it and double-click the icon on your desktop. Let it update. Then, let it do a full run, and copy the log. Paste it to a blank Notepad file and save it to post here. Then let it rerun. Save that log too.

***

Post back here in this topic using the button ‘add reply’: The results from the AV scan and a fresh log using HijackThis.
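Added example, not part of the original thread and not code from Hoster: before running the "Restore Original Hosts" step in the post above, the current hosts file (on this system under `%SystemRoot%\system32\drivers\etc\hosts`) can be audited to record which entries differ from a default file. The sample file and every hostname in it are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file; hostnames are placeholders, not from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example    # blocks updates
203.0.113.7     www.search.example search.example
::1             localhost
not-an-ip       broken.example
"""

# Names a default hosts file may legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, names) per mapping line; ip is None if unparsable."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        yield line_no, ip, fields[1:]


def audit_hosts(text):
    """Return (line_no, kind, names) for every entry a default file would not have."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((line_no, "malformed", names))
            continue
        # Anything other than localhost -> loopback is worth recording.
        odd = [h for h in names
               if not (ip.is_loopback and h.lower() in LOOPBACK_NAMES)]
        if odd:
            sinkholed = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, "blocked" if sinkholed else "redirected", odd))
    return findings


if __name__ == "__main__":
    for line_no, kind, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind}: {', '.join(names)}")
```

Saving the output alongside the other logs keeps a record of what the hosts file contained before it was reset.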

doug_lord

Posted 05 May 2005 - 05:42 PM

Member

Topic Starter

16 posts

I have got as far as attempting to remove the programmes using explorer and have decided to call a halt for two reasons:
One it is late and I'm falling asleep.
Two the instructions I have attempted to follow have not all been possible:

The hidden files were already showing

HJT could not see any of
Security IGuard
Virtual Maid
Search Maid
And only found the C:\WINNT\mm15201518.Stub.exe process.

Killbox may or may not have worked

None of the files listed were visible in explorer including Log Files
NB I cannot follow the path C: Windows , System 32 is in WINNT.

I am hoping that all of this means that my system is cleaner than we thought but would like your guidance before I proceed.

Right click here and click Save Target As. Save the file to your desktop. Double click on the file you saved to run it. It will ask you if you want to merge it with your registry. Click Yes and then Ok on the confirmation. You will have to reboot for this to take effect.

***

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

***

Open Hijackthis, click "Open the Misc Tools section". Next to "Generate StartupList log", place a check next to "List also minor sections" (full) and "List empty sections" (complete). Then click "Generate StartupList log". Click "Yes" to the box that pops up. It will open a notepad file. Copy and paste the content of that file here in your answer.

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

g2i2r4

Posted 08 May 2005 - 01:52 PM

retired HiJack Helper

Retired Staff

5,080 posts

Please remove Spy Hunter completely from your computer. Read more about it on this page.

Then reboot.

Right click here and click Save Target As. Save the file to your desktop. Double click on the file you saved to run it. It will ask you if you want to merge it with your registry. Click Yes and then Ok on the confirmation. You will have to reboot for this to take effect.